These VPN Services Can Easily Be Hacked
- Thread starter CaptainSTX
- Start date
st3v3n
Very Senior Member
HowIFix, well, you might ask the VPN if they're working on a fix and see if they'll refund you, or give you extra time, while they work on it, if they're actually trying to fix their configs. We received a reply from our 2nd VPN last night; they're working on fixes for all their LZO configs. Everyone is scrambling at catch up, as usual. If the VPN doesn't respond or isn't instituting a fix, if it were us, we'd request a refund and move on. Cheers.
somms
Regular Contributor
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
According to the OpenVPN man page this command is DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.
FWIW: If using comp-lzo no in my OpenVPN client config fails to connect to my AC86U OpenVPN gateway server w/Merlin 384.6 flashed and I have to use just compress with empty value instead because the OpenVPN server running on my router is set for no compression...
FWIW: If using comp-lzo no in my OpenVPN client config fails to connect to my AC86U OpenVPN gateway server w/Merlin 384.6 flashed and I have to use just compress with empty value instead because the OpenVPN server running on my router is set for no compression...
Thank you, then the new option compress with empty value, turned off the compression
Is there any way to know if the Compression is Disabled? (or just Goku with his Ultra Instinct knows it)
Test with compress: (Public: Gives me IP)
Last edited:
john9527
Part of the Furniture
The compress option is the equivalent of comp-lzo, off but the server can override it.Thank you, then the new option compress with empty value, turned off the compression
Is there any way to know if the Compression is Disabled? (or just Goku with his Ultra Instinct knows it)
To check compression status, look at the VPN Status page and compression statistics. If it's off, they will all be zeros. (an example from my PIA connection)
RMerlin
Asuswrt-Merlin dev
Also. System Log should provide the necessary info (provided sufficient verbosity level).
Thanks! @john9527The compress option is the equivalent of comp-lzo, off but the server can override it.
To check compression status, look at the VPN Status page and compression statistics. If it's off, they will all be zeros. (an example from my PIA connection)
View attachment 14117
NordVPN + these options gives me Public IP and Compression Statistics on the VPN Status page show zerotes:
- Old:
- comp-lzo no
- push "comp-lzo no"
- New:
- compress
ExpressVPN only with the old option gives me Public IP and Compression Statistics on the VPN Status page show zerotes:
- Old:
- comp-lzo no
- push "comp-lzo no"
- New:
- compress (This does not give me Public IP, then the internet does not work)
I hope that I am not wrong.
Last edited:
john9527
Part of the Furniture
That actually makes sense....I forgot that NordVPN is the only VPN so far that I know that has been confirmed to have updated their servers to OpenVPN 2.4.x The rest seem to be stuck on 2.3.x
So NordVPN works with the 'new' compress option and ExpressVPN works with the 'old' comp-lzo option.
I remember that I looked for some way to tell for sure what the server level was and could never find it.
RMerlin
Asuswrt-Merlin dev
StrongVPN seems to be running 2.4.x as well, since they support NCP and AES-256-GCM:
Code:
Aug 18 20:13:14 ovpn-client3[813]: Data Channel: using negotiated cipher 'AES-256-GCM'
Aug 18 20:13:14 ovpn-client3[813]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 18 20:13:14 ovpn-client3[813]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
RMerlin
Asuswrt-Merlin dev
First one indicates OpenVPN 2.4.x with AES-256-GCM. Second one is old-school AES-256-CBC + HMAC, which probably indicate OpenVPN 2.3.x.
GCM ciphers don't need a separate HMAC, making them more efficient.
CaptainSTX
Part of the Furniture
Here is a statement from PIA posted on their web site regarding the article:
We’ve seen recent reporting that implies PIA is vulnerable to the ‘VORACLE’ exploit. From our internal investigation, we are not vulnerable as compression is not enabled on the Private Internet Access service.
Compression was disabled on the 26th December 2014 within the server configuration which supersedes the local configuration and will overrule potential settings presented by the configuration file.
This prevents the VORACLE exploit from occurring as according to the researcher’s slides and results, compression must be enabled for the attack to be used against a VPN service.
To confirm that compression was disabled from the server-side, we checked the configuration settings from the OpenVPN command line (with verb 4 enabled) to show the exact push statement disabling it:
“Mon Aug 13 16:12:59 2018 us=472321 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.31.10.1,topology net30,ifconfig 10.31.10.6 10.31.10.5,auth-token'”
We also confirmed that our Mobile platforms (Android and iOS) are also superseded by the server configuration and do not allow compression.
We are in contact with the researcher and will keep you updated if we see any evidence to the contrary. Additionally, we will endeavour to make sure any such reporting around this in relation to Private Internet Access is correct. For clarity;
“The list of VPN providers on my slides were just to help the audience understand the kind of vpns that the talk was dealing with. Not that all of those vpns were vulnerable. In fact, there are many VPN providers using OpenVpn and they could have this. This is why I worked with the OpenVPN team directly. Their usage [guidelines] now clearly talk about the security issues when compression is enabled."- Ahamed Nafeez
As always, we would like to thank the researcher, and all security researchers, for helping expose issues in security software and making end users safer.
We’ve seen recent reporting that implies PIA is vulnerable to the ‘VORACLE’ exploit. From our internal investigation, we are not vulnerable as compression is not enabled on the Private Internet Access service.
Compression was disabled on the 26th December 2014 within the server configuration which supersedes the local configuration and will overrule potential settings presented by the configuration file.
This prevents the VORACLE exploit from occurring as according to the researcher’s slides and results, compression must be enabled for the attack to be used against a VPN service.
To confirm that compression was disabled from the server-side, we checked the configuration settings from the OpenVPN command line (with verb 4 enabled) to show the exact push statement disabling it:
“Mon Aug 13 16:12:59 2018 us=472321 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.31.10.1,topology net30,ifconfig 10.31.10.6 10.31.10.5,auth-token'”
We also confirmed that our Mobile platforms (Android and iOS) are also superseded by the server configuration and do not allow compression.
We are in contact with the researcher and will keep you updated if we see any evidence to the contrary. Additionally, we will endeavour to make sure any such reporting around this in relation to Private Internet Access is correct. For clarity;
“The list of VPN providers on my slides were just to help the audience understand the kind of vpns that the talk was dealing with. Not that all of those vpns were vulnerable. In fact, there are many VPN providers using OpenVpn and they could have this. This is why I worked with the OpenVPN team directly. Their usage [guidelines] now clearly talk about the security issues when compression is enabled."- Ahamed Nafeez
As always, we would like to thank the researcher, and all security researchers, for helping expose issues in security software and making end users safer.
doczenith1
Very Senior Member
I believe PIA is using 2.4.x also as their Android app lists the GCM ciphers as options.
RMerlin
Asuswrt-Merlin dev
They still use AES-128-CBC tho (or at least they never enabled NCP).
st3v3n
Very Senior Member
Parker55, No need to avoid using OpenvVPN at all. Most of the VPN providers either fixed/changed their configurations to address the problem or stated they were working on a fix. Whatever provider you're interested in, the best way to find out about how they address this, is to contact their tech support and ask. If they're on the ball, they'll get back to you quickly if you ask the correct questions. As always, continue researching and reading; there are always new threats popping up every day. Cheers.
st3v3n
Very Senior Member
As usual with all providers, YMMV with each provider; they try to provide consistency across their network, and it depend on location, the customer's ISP/provisioning deliver, user's equipment/skill, etc. The more work a user puts into it, the better results you get. Many providers have disabled LZO and will usually advise customers to disable or turn it off in certain configs. Others instituted fixes, but it's the tip of the iceberg. The bad guys will never quit. As long as your VPN provides the security and level of privacy you need and pay for, that's what counts. We spent months evaluating different VPN providers then selected the two we've stayed with. Different parts of their network provides different levels of performance. The bad actors also use VPN providers, who have to play a balancing act, by not snooping on legitimate customer traffic, yet weeding out and removing bad actors. We thank the researchers who work to locate and publicize the exploits. Cheers
Similar threads
Similar threads
Similar threads
-
-
-
-
-
-
-
-
Site To Site VPN between Debian VM and AsusWRT-Merlin router, no routes exists
- Started by Freewill0592
- Replies: 2
-
-
Latest threads
-
-
-
-
Can't get 2gbps to my unraid server
- Started by zekesdad
- Replies: 2
-
changed AC68U to AX86U Pro, same guest network setting but all devices gone?
- Started by Heronimos
- Replies: 4
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!